SMB version 3 and file share encryption

Hello Experts,
Ok, so this is a question that has not been asked before here and I wonder how many have actually implemented it or even tried it.

In windows 2012 MS introduced SMB V3. It is superior as we know to previous versions of SMB. However, I have a need to encrypt the traffic (in-flight) from a windows 2012R2 server to another 2012R2 server. I do not care about data at rest. SMB3 offers SMB Encryption so that if a client can communicate via SMB3 and so does the server, then all in-flight data will be fully encrypted.

The question is:
Have you done it before or tested it?
Do you have any input on how it will impact performance given CPU support AES encryption?
How hard is it to implement?
Do you have any reasons why or why not to do it?
Keep in mind, we will be pushing a ton of large data between the two servers continuously.

Cliff GaliherCommented:
Have you done it before or tested it?

Do you have any input on how it will impact performance given CPU support AES encryption?
You'll take a small throughput hit. And while file servers generally are not CPU bound, if your CPU is taxed, such as in a highly virtualized environment, overall performance is also impacted.

How hard is it to implement?

Dead easy.

Do you have any reasons why or why not to do it?

Why? I'd only do it if there was sensitive data and the network was not physically secure. Why not? You have downlevel clients that don't support SMB3. Each environment is unique so this question is a bit broad.

onlinerackAuthor Commented:
Thank you for your quick response.
These are going to be physical servers with 32 dedicated cores (2x node clustered source and 2x node clustered destination).
A lot of data will be pushed via smb3.

Data is sensitive. So we want to encrypt just this file share so during transmission of data we are secure. We have a 10gbps backbone as well.

Our choices are, doing it via SMB3 and copy data that way as I think would be the fastest most secure. Using a software to transfer the data and encrypt it (not using SMB3) will likely not give us the same throughput. What do you think?
Cliff GaliherCommented:
SMB3 *is* software. So asking for a performance comparison to some unspecified software is simply not possible. In a complete vacuum, one could theoretically state the performance difference would not exist. Both are transferring data. Both are encrypting and decrypting. Thus both are the same.

onlinerackAuthor Commented:
True and good points.
My question was not as clear, but in theory, SMB3 obviously is years worth of research and work by MS and other vendors. I was thinking the throughput of SMB3 coupled with its fileshare encryption capability may be way ahead of using a (replication) software that would establish socket to socket connection to transmit the data.
Remember we are using 10G backbone, are you aware of any software that could top the SMB3 yet provide us the encryption in-flight?
Or what would be your advice given you have been through the SMB3 and tested encryption?
Cliff GaliherCommented:
Too many variables and options to list. IPsec has been baked into the TCP/IP stack for years. There is more administrative overhead, but with the proper hardware and tuning with offloading capabilities, you could get more throughput. SMB, like NFS, is meant to make sharing easy. But for large known transfers, FTP is still superior, beating SMB3 and HTTP. But it isn't architected for "browsing." So for some use cases, FTP over SSL might be a better option. I could go on, but I think I've demonstrated that the follow up questions are just too broad. There are still planning and design solutions that IT Pros get paid to figure out. Can't really be expected to wing it in a forum like EE.
onlinerackAuthor Commented:
I will give it a shot; in one lab test it showed 1.2TB an hour throughput with SMB. I am thinking this is pretty good results. Agree?
Thank you for your help.
Cliff GaliherCommented:
That seems a bit slow to me. Even with the overhead of SMB and encryption, I'd normally want to see >2TB/hr over a 10Gb link.
onlinerackAuthor Commented:
hmmm... Do you have jumbo frames turned on or any additional configs done if I may ask?
Cliff GaliherCommented:
Jumbo frames, of course. But RSS. For 10Gb NICs this is very important. Or you'll top out at 3Gb/s and one of your CPU cores will be pegged at 100%.
onlinerackAuthor Commented:
Perfect thank you. I may open up additional questions later as we proceed forward. I did not think of the RSS. I am not sure if it is enabled by default.
About the speed: it is pretty useless to say "1TB/h is slow/not slow" if we don't know what you copy and how. This is no benchmark, right? File copy speed depends on file sizes, because the accumulated latency is higher if there are many small files. Also there might be virus scanning in between and so on.
onlinerackAuthor Commented:
Good point, we are looking at 50 to 60GB files adding up to 10TB.
AV is removed from the testing
Small files are not part of this equation.
Ok, I have never seen 10 GBit/s in action, I must confess, but using smbv3 on 1 GBit/s, I got nearly 99% of the theoretical maximum. Please use some test like netio or iperf. Using file copy as a speedtest is useless, because it also depends on storage speed. If your storage (source and target) cannot do 10GBit/s, no wonder...
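The per-share encryption setup discussed in the thread, plus the RSS and dialect checks Cliff mentions, as an added PowerShell example (not code from the thread). It assumes an elevated session on Windows Server 2012 R2 or later, and the share name, server name and NIC name are placeholders.

```powershell
# Added example, not from the thread. Placeholders: share, server and NIC names.
$ShareName = 'SensitiveData'
$Server    = 'FILESERVER01'
$NicName   = 'Ethernet 10G'

# 1. Encrypt only this share (per-share, not server-wide). Clients that can
#    only speak SMB1/SMB2 will no longer be able to open it.
Set-SmbShare -Name $ShareName -EncryptData $true -Force

# 2. Keep the server refusing unencrypted access to encrypted shares
#    (this is the default; stating it explicitly documents the intent).
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force

# 3. Verify what is actually in effect on the server.
Get-SmbShare -Name $ShareName | Select-Object Name, Path, EncryptData
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess

# 4. From the client side, confirm the sessions negotiated SMB 3.x; encryption
#    only exists from dialect 3.0 upward, so anything lower means no protection.
Get-SmbConnection -ServerName $Server | Select-Object ServerName, ShareName, Dialect

# 5. RSS on the 10GbE NIC, so receive processing is spread across cores instead
#    of pegging a single one (the throughput ceiling described in the thread).
Get-NetAdapterRss -Name $NicName | Select-Object Name, Enabled, NumberOfReceiveQueues
if (-not (Get-NetAdapterRss -Name $NicName).Enabled) {
    Enable-NetAdapterRss -Name $NicName
}

# 6. SMB Multichannel reports whether the path to the server is RSS capable.
Get-SmbMultichannelConnection | Select-Object ServerName, ClientRSSCapable, ServerRSSCapable
```

Run the throughput test (netio or iperf, as suggested above) before and after enabling encryption to measure the actual overhead on your hardware rather than guessing.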